| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20110422211649.GW16484@one.firstfloor.org> Date: Fri, 22 Apr 2011 23:16:49 +0200 From: Andi Kleen <andi@...stfloor.org> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Andi Kleen <andi@...stfloor.org>, linux-fsdevel@...r.kernel.org, akpm@...ux-foundation.org, linux-kernel@...r.kernel.org, npiggin@...nel.dk, shaohua.li@...el.com, sds@...ho.nsa.gov, jmorris@...ei.org, linux-security-module@...r.kernel.org, Eric Paris <eparis@...isplace.org> Subject: Re: Make RCU dcache work with CONFIG_SECURITY=y On Fri, Apr 22, 2011 at 11:26:09AM -0700, Linus Torvalds wrote: > On Thu, Apr 21, 2011 at 5:23 PM, Andi Kleen <andi@...stfloor.org> wrote: > > > > I didn't find good test suites for the security modules, so > > there wasn't a lot of testing on this unfortunately > > (the selinux one for LTP doesn't seem to work). Some close > > review of these changes is needed. > > > > On the other hand the VFS changes itself are very straight forward > > and the 1/1 patch is very straight forward (and a win in itself) > > > > The bottom line is with this patchkit a CONFIG_SECURITY=y > > kernel has as good VFS performance as a kernel with CONFIG_SECURITY > > disabled. > > Gaah. My immediate reaction to the patch-series was "This is great, I > was really hoping we could get all those annoying cases sorted out, > and I'll queue them for the next merge window". > > Having then actually read through the patches a bit more, I then got > convinced that at least the first patch should probably be applied > right away and be marked for stable, since it looks pretty damn > obvious to me, and it might already on its own fix the performance > regression for some configurations (although realistically I guess few > enough people really do the "selinux=0" thing, so the big advantage is > making easier to backport the other patches later if we don't do them > now). Yes I agree. The first patch is (nearly) a no-brainer and already has significant benefits. I would like to see it in .39. > Comments? I'd really like to see/hear feedback like "yeah, this looks > really obviously safe" vs "yeah, looks good, but I really don't feel > very comfortable with it" from the security people. Especially SMACK review is needed. Or maybe selinux only for now, already got one ack for that. (BTW I have some doubts on the locking in smack in general, but that's a separate issue -- see other thread) -Andi -- ak@...ux.intel.com -- Speaking for myself only. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists